Open Source

Innovation is the icing, but what about the cake?

Submitted by Ofer Shezaf on 28 January 2013 - 12:20am

In recent weeks I have met several companies focusing on innovating security intelligence. Those encounters brought up an interesting challenge facing such innovations: in most cases innovators have a good idea but find it too expensive to build the required infrastructure. After all, there is no use for icing on a cake you cannot bake.

What are the possible solutions? How does productizing innovation actually work? Can it be improved?

The Leviathan or Federation of Free States?

Submitted by Ofer Shezaf on 26 February 2012 - 10:35am

My previous RSA 2012 call for action, security IQ, compared information security to heavily regulated and competitive industries such as the drug and aviation industries, calling for a standard qualification mechanism, governmental or academic.

However, this may not be the only model information security should take to ensure we are all better prepared for future security challenges. An alternative approach is to deviate to some degree from the commercially centric nature of the industry and work more closely together.

The question is what the model should be. A Leviathan model may provide the best security but is too utopian for an area which is mostly commercially driven....

Commercial vs. Open Source, The WAF example

Submitted by Ofer Shezaf on 20 March 2011 - 11:18pm

An interesting case study by Joshua Drummond from UC Irvine compares two open source WAFs, ModSecurity and WebKnight, to an unnamed commercial WAF. The results shed light not just on the difference between open source and commercial solutions but also highlight key requirements of a WAF. It seems that the two issues Joshua finds with open source WAFs are manageability and positive security. It would be interesting to see if the two new open source WAFs on the block will address those shortcomings.

Will Open Source Save WAFs?

Submitted by Ofer Shezaf on 17 February 2011 - 9:30pm

It is no secret that the WAF market has not skyrocketed in recent years. With most open source security closing up, open source security has also seen better days. Do the two stand a better chance together? Two open source WAF announcements from WAF veterans during RSA will put this to the test....